From: Ralf Staudemeyer <rstaudemeyer@uwc.ac.za>
To: lartc@vger.kernel.org
Subject: [LARTC] management of virus and p2p-traffic
Date: Mon, 21 Jun 2004 17:36:02 +0000 [thread overview]
Message-ID: <1087839362.4786.0.camel@turtle> (raw)
Hi
I have to manage a network with approx. 200 users, a 256kbit/s unmanaged
Internet connection and a 3Mbit/s unreliable managed Internet connection
(only http/ftp-proxy and ssh available). All users are in one Class C
Subnet with 512 IP-Addresses. 60% of the machines are Windows. The rest
are SUN and Linux. At the moment Windows viruses and p2p-traffic eat
most of our bandwidth.
My aims are:
- inform Windows users with a virus problem; limit their traffic to http
over proxy
- allocate different bandwidth to different user groups on port level
(to limit p2p traffic) depending on time (day/night)
- allocate different amounts of traffic to groups and reduce the night
bandwidth of user groups who exceed their daily limit
- prevent users from getting access to a different group by simply taking
an IP address from a different group, without creating an access control
list with IP/MAC pairs
- users should be able to monitor the bandwidth usage of their group on
a web page
- the 3Mbit/s uplink should be used whenever possible/available (ssh +
ftp/http proxy)
- preserve privacy of users as far as possible
The idea is to split the network using transparent bridgewalls. This
should manage the traffic on port level for each group using Netfilter
in Bridge Mode and using IPP2P to limit P2P-traffic. Group limitations
should be implemented here.
A firewall should be installed on the gateway to the Internet. The
firewall should do NAT and have a QoS setup managing and monitoring the
real outgoing traffic. I plan to use the cookbook example 15.10 from the
lartc as a base.
My question is whether there are known running solutions out there that
would fit these aims. The Windows machines with their viruses give me a
headache. I do not want to enforce remote Windows patching and
virus scanner updating. It should also be taken into account that there
is nearly no money available for any special equipment. Best would be to
get this job done with a couple of old computers.
Another question is whether it is advisable to split traffic filtering
from traffic management/monitoring.
I would appreciate any help.
Regards
Ralf
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
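The gateway half of the design sketched above (marks set in the mangle table, an HTB tree per user group with a day/night rate table, in the spirit of lartc cookbook example 15.10) can be written as a small set of shell functions so the rate table and the tc/iptables plumbing stay apart. What follows is an added example, not code from the original post or from the LARTC project; every concrete value in it is my assumption: the uplink is eth0 at 256 kbit/s, the three groups are /26 slices of the documentation range 192.0.2.0/24, the fwmarks, class ids and rates are invented, and the IPP2P match is invoked with its catch-all `--ipp2p` option on the gateway rather than on the bridgewalls the poster planned. With `DRY_RUN=1` (the default) the script prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: per-group HTB shaping on the
# gateway's uplink with a day/night rate table and an IPP2P catch-all class.
# Assumed values (mine): eth0 = 256 kbit/s uplink, groups = /26 slices of
# 192.0.2.0/24, marks 1-4, class ids 1:11-1:14. DRY_RUN=1 only prints.

DRY_RUN=${DRY_RUN:-1}
DEV=${DEV:-eth0}
UPLINK_KBIT=${UPLINK_KBIT:-256}
USER_GROUPS="staff students guests"

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# group_rate GROUP PERIOD -> guaranteed kbit/s. Per period the rates sum to
# 256 (with 16 for p2p and 16 for the default class), so the root class is
# never oversubscribed; spare capacity is shared via ceil.
group_rate() {
    case "$1:$2" in
        staff:day)      echo 112 ;;
        staff:night)    echo 48 ;;
        students:day)   echo 80 ;;
        students:night) echo 160 ;;
        guests:day)     echo 32 ;;
        guests:night)   echo 16 ;;
        p2p:*)          echo 16 ;;
        *) echo "group_rate: unknown group/period $1/$2" >&2; return 1 ;;
    esac
}

# P2P is hard-capped at 64 kbit/s; user groups may borrow up to the uplink.
group_ceil() { if [ "$1" = p2p ]; then echo 64; else echo "$UPLINK_KBIT"; fi; }

# The fwmark ties an iptables MARK rule to the tc "fw" filter of one class.
group_mark() {
    case "$1" in
        staff) echo 1 ;; students) echo 2 ;; guests) echo 3 ;; p2p) echo 4 ;;
        *) return 1 ;;
    esac
}

group_subnet() {
    case "$1" in
        staff)    echo 192.0.2.0/26 ;;
        students) echo 192.0.2.64/26 ;;
        guests)   echo 192.0.2.128/26 ;;
        *) return 1 ;;
    esac
}

# period_for_hour HH -> "day" for 08:00-19:59, else "night".
period_for_hour() {
    h=${1#0}            # "08" -> "8": avoids an octal parse of 08/09
    if [ "${h:-0}" -ge 8 ] && [ "${h:-0}" -lt 20 ]; then echo day; else echo night; fi
}
period_now() { period_for_hour "$(date +%H)"; }

# Mark by source subnet first; the IPP2P rule comes last so a P2P packet
# from any group ends up in the P2P class instead of the group's class.
setup_marks() {
    run iptables -t mangle -F PREROUTING
    for g in $USER_GROUPS; do
        run iptables -t mangle -A PREROUTING -s "$(group_subnet "$g")" \
            -j MARK --set-mark "$(group_mark "$g")"
    done
    run iptables -t mangle -A PREROUTING -m ipp2p --ipp2p \
        -j MARK --set-mark "$(group_mark p2p)"
}

# setup_shaping PERIOD -> rebuild the HTB tree on the uplink for that period.
setup_shaping() {
    period=$1
    run tc qdisc del dev "$DEV" root
    run tc qdisc add dev "$DEV" root handle 1: htb default 30
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit"
    for g in $USER_GROUPS p2p; do
        m=$(group_mark "$g")
        run tc class add dev "$DEV" parent 1:1 classid "1:1$m" htb \
            rate "$(group_rate "$g" "$period")kbit" ceil "$(group_ceil "$g")kbit"
        run tc qdisc add dev "$DEV" parent "1:1$m" handle "1$m:" sfq perturb 10
        run tc filter add dev "$DEV" parent 1: protocol ip prio 1 \
            handle "$m" fw flowid "1:1$m"
    done
    # Unmarked traffic (the gateway's own, anything outside the groups).
    run tc class add dev "$DEV" parent 1:1 classid 1:30 htb rate 16kbit \
        ceil "${UPLINK_KBIT}kbit"
}

main() {
    setup_marks
    setup_shaping "$(period_now)"
}
main
```

Re-running `setup_shaping "$(period_now)"` from cron at 08:00 and 20:00 is all the day/night switch needs, since the mark rules do not change. Two caveats the poster's aims make relevant: the class a packet lands in is decided purely by its source address, so a user who takes an address out of another group's /26 inherits that group's rate, which is exactly the spoofing problem listed among the aims and which this gateway-side setup does not address; and HTB on eth0 shapes only what leaves towards the Internet, so downloads filling the 256 kbit/s link need ingress handling as well, which the LARTC HOWTO covers separately.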
Thread overview (8+ messages):
2004-06-21 17:36 Ralf Staudemeyer [this message]
2004-06-21 21:06 ` [LARTC] management of virus and p2p-traffic Ed Wildgoose
2004-06-22 4:59 ` Jason Boxman
2004-06-22 10:34 ` Ralf Staudemeyer
2004-06-22 11:20 ` Ed Wildgoose
2004-06-22 15:05 ` Ralf Staudemeyer
2004-06-22 16:01 ` Ed Wildgoose
2004-06-22 16:45 ` Ralf Staudemeyer